Mac User – Fixing Expired AddTrust Root CA Certificate Issue

Tags: certificate-authority, ssl, ssl-certificate

I recently ran into this issue of the Sectigo Root certs expiring on May 30th of this year: https://gist.github.com/minaguib/c8db186af450bceaaa7c452ba6a9901b

I updated the certificate chain on our servers and the change was seamless for all employees and users except ONE USER.

The single user experiencing problems is loading an invalid chain for our website. There are screenshots below.

Server-Side Notes:

  • The server has been updated, and the certificate & chain have been confirmed good to go (screenshot attached).
  • I have one single client that is still loading an invalid cert chain.
  • The server terminating TLS is an Amazon ALB instance.
  • The server certificate chain has been validated using an online service for sanity. There is a screenshot below showing this.

Client-Side Notes:

  • Deleted any "expired" or "invalid" entries in the Mac Keychain.

  • Searched the Mac Keychain for any reference to "AddTrust"

  • Fully cleared all browser cache. Chrome is up to date, Version 83.0.4103.97 (however Safari also fails, so I don't think it's the browser)

  • Date/Time checked

Here is what the end user is seeing in the browser cert chain:

Bad Cert Chain

Here is what EVERYONE ELSE sees when browsing to our website:

Good Cert Chain

Here is the validation from a 3rd party online service to confirm the chain validity:

Server Cert Chain

Best Answer

Figured this out.

The user is on MacOS 10.11 (El Capitan), which doesn't have modern root CAs, and Apple stopped updating the OS in 2019.

Because of this, the Mac Keychain didn't have the updated Root CA so my site certificate wasn't trusted.

Clients Most Notably Impacted:

  • Apple Mac OS X 10.11 (El Capitan) or earlier
  • Apple iOS 9 or earlier
  • Google Android 5.0 or earlier
  • Microsoft Windows Vista & 7 if the Update Root Certificates Feature has been disabled since before June 2010
  • Microsoft Windows XP if an Automatic Root Update has not been received since before June 2010
  • Mozilla Firefox 35 or earlier
  • Oracle Java 8u50 or earlier
  • Embedded devices (especially copy machines) that have not installed a firmware update since before mid-2015

More details:
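The failure mode described in the accepted answer, as an added illustration that is not part of the original question or answer: a simplified chain walk over constructed certificate metadata (names are the real Sectigo/USERTrust/AddTrust CA names, dates are approximate, and no signatures are checked). A trust store that holds the modern USERTrust root anchors the path at the intermediate's issuer and never looks at the expired cross-signed certificate; a legacy store that only holds the AddTrust root has no other path and fails once that cross-certificate expires.

```python
from datetime import date

# Constructed, simplified view of the served chain (leaf -> intermediate -> cross-signed root).
# Real CA names, approximate validity dates; signatures are not modelled.
CHAIN = [
    {"subject": "www.example.com",
     "issuer": "Sectigo RSA Domain Validation Secure Server CA",
     "not_after": date(2021, 1, 1)},
    {"subject": "Sectigo RSA Domain Validation Secure Server CA",
     "issuer": "USERTrust RSA Certification Authority",
     "not_after": date(2030, 12, 31)},
    # Cross-signed copy of the USERTrust root, issued by the legacy AddTrust root.
    {"subject": "USERTrust RSA Certification Authority",
     "issuer": "AddTrust External CA Root",
     "not_after": date(2020, 5, 30)},
]

# Trust stores: root name -> expiry of the store's copy of that root (constructed).
MODERN_STORE = {
    "USERTrust RSA Certification Authority": date(2038, 1, 18),
    "AddTrust External CA Root": date(2020, 5, 30),
}
# El Capitan-like store: the modern USERTrust root was never shipped.
LEGACY_STORE = {"AddTrust External CA Root": date(2020, 5, 30)}


def verify(chain, store, today):
    """Walk the served chain leaf-first; the first issuer found in the store ends the path.

    Returns (ok, reason). An expired certificate anywhere on the path that is
    actually walked, or an expired trust anchor, fails validation.
    """
    for cert in chain:
        if cert["not_after"] < today:
            return False, f"expired: {cert['subject']}"
        issuer = cert["issuer"]
        if issuer in store:
            if store[issuer] < today:
                return False, f"trusted root expired: {issuer}"
            return True, f"anchored at {issuer}"
    return False, "no trust anchor reached"


if __name__ == "__main__":
    after_expiry = date(2020, 6, 10)
    print("modern client:", verify(CHAIN, MODERN_STORE, after_expiry))
    print("legacy client:", verify(CHAIN, LEGACY_STORE, after_expiry))
    print("legacy client before May 30:", verify(CHAIN, LEGACY_STORE, date(2020, 5, 1)))
```

The same walk explains why the server-side tools reported a valid chain: they carry the modern root and stop at the intermediate's issuer, so the expired cross-certificate the server still sends is simply never evaluated.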